Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c7c64bfca5efc42…

MALICIOUS

PDF

Size: 81.1 KB
Created: 2009-07-17 18:58:01
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 590690d6090146763fe2b4a944dce75b
SHA-1: 7ebe4a66670485cd806b64af9e3c9fd8492dfddf
SHA-256: 9c7c64bfca5efc42b428d5214e4f1ed3d2abaa4af69ccdfdc338d3d090bbe874
Risk score: 78

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file exhibits multiple JavaScript-related heuristic firings, including embedded JS streams and JavaScript actions, indicating malicious intent. The ClamAV detection 'Heuristics.PDF.ObfuscatedNameObject' further supports this. The presence of obfuscated JavaScript suggests the file is designed to download and execute a secondary payload, a common technique for initial access.

Heuristics (5)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action [low] (PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] (PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators [info] (PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0015_000.js
    SHA-256: 7c99ece7a8ef905c47a4bbec2793cecf0714c8681897580fa15cfc3b8262f6ec
    Kind: pdf-javascript-stream
    Source: PDF /JS object 15 at offset 0x115FE
    Size: 44394 bytes
  • Filename: javascript_obj0016_001.js
    SHA-256: daeb7d809427a0fb7402f8c13698ddb8cf6f200b93ec7476bfd4ff3310403f79
    Kind: pdf-javascript-stream
    Source: PDF /JS object 16 at offset 0x13E79
    Size: 271 bytes
  • Filename: javascript_obj0017_002.js
    SHA-256: c62979246ab8fce11f139080362fa69c880eea703ad4ca8c068588aa8fe68ce5
    Kind: pdf-javascript-stream
    Source: PDF /JS object 17 at offset 0x13FA0
    Size: 268 bytes